[Dovecot] TLS/SSL for Win8 & Outlook

Robert Schetterer rs at sys4.de
Thu May 8 20:54:18 UTC 2014


On 08.05.2014 22:25, Robert Schetterer wrote:
> On 08.05.2014 21:29, Sebastian Goodrick wrote:
>>> perhaps this has impact...just an idea
>>
>>
>>> http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
>>
>>>  so my speculation: on Win 8, FIPS mode enabled is the default
>>> currently (please verify this), but it should be disabled be
>>> causing too much trouble...
>>
>> On my fresh install of Win8.1:
>>
>> HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
>> Enabled=0
> 
> hm..
> 
>>
>> Indicating that FIPS mode is disabled. As far as I understand FIPS it
>> disables certain ciphers / protocols. However, my new dovecot/OpenSSL
>> version provides more and stronger ciphers, so FIPS shouldn't be an
>> issue (well, in theory).
> 
> definition of "strong" may be variable
> my speculation was, it leaves too few ciphers
> 
>>
>> Regards
>> Sebastian
>>
> 
> I will test this now with my win8 and new dove installation, but it will
> take time doing endless win upgrades in the vm first
> 
> 
> Best Regards
> MfG Robert Schetterer
> 

meanwhile from

http://social.technet.microsoft.com/Forums/office/en-US/5a8df31b-ef3a-4f42-9776-8ca3200574c7/error-when-using-smtp-with-tls-windows-8-outlook-2013?forum=outlook

...
"System cryptography: Use FIPS compliant algorithms for encryption,
hashing, and signing"

as found in

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

which as per description does

This policy setting determines whether the Transport Layer
Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only
the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite.

that needs to be disabled for Outlook.com's SMTP TLS to work.

or, looking at the registry: FIPSAlgorithmPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/FIPSAlgorithmPolicy/Enabled
...


any thoughts about that ?

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
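
The registry check discussed in this thread, as an added PowerShell example that is not part of the original message. The key path and the `Enabled` value name are the ones quoted in the thread; the function name `Get-FipsPolicyState` is hypothetical, and the cross-check against .NET's `CryptoConfig.AllowOnlyFipsAlgorithms` is an addition the thread does not mention.

```powershell
# Added example: report the FIPS policy state on a Windows client.
# Key path and value name are taken from the thread; everything else is illustrative.
$keyPath = 'HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'

function Get-FipsPolicyState {
    param([string]$Path = $keyPath)

    $state = [ordered]@{
        RegistryPath   = $Path
        KeyPresent     = $false
        Enabled        = $null   # raw DWORD; stays $null when the value is absent
        # What the .NET runtime in this session reports (assumption: used here as a cross-check)
        DotNetFipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }

    if (Test-Path -Path $Path) {
        $state.KeyPresent = $true
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        # Only read Enabled if the value really exists under the key
        if ($null -ne $item -and $item.PSObject.Properties.Name -contains 'Enabled') {
            $state.Enabled = [int]$item.Enabled
        }
    }

    [pscustomobject]$state
}

$fips = Get-FipsPolicyState
$fips | Format-List

if ($fips.Enabled -eq 1) {
    'FIPS policy is enabled: compare the cipher suites this client offers with what the mail server accepts.'
} elseif ($fips.Enabled -eq 0) {
    'FIPS policy is disabled (Enabled=0), matching the Win8.1 install reported in the thread.'
} else {
    'No Enabled value found under the key: the policy is not configured at this location.'
}

# A mismatch between the registry value and the runtime view is worth investigating
if ($null -ne $fips.Enabled -and ([bool]$fips.Enabled -ne $fips.DotNetFipsOnly)) {
    'Registry value and .NET runtime disagree: check for a pending policy refresh or reboot.'
}
```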

